Overview

overview

9

Static

static

7

Setup.exe

windows7-x64

9

Setup.exe

windows10-2004-x64

9

langs/Hungarian.ps1

windows7-x64

1

langs/Hungarian.ps1

windows10-2004-x64

1

langs/Korean.ps1

windows7-x64

1

langs/Korean.ps1

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup.zip

  • Size

    7.4MB

  • Sample

    220811-3aqw9agag2

  • MD5

    53099a4bb4ff68f5bcab4c3570339339

  • SHA1

    d74279894736e8663881eb7530a2aa93a1f9dc04

  • SHA256

    d5022679519622be7d0cec61a50e20ee48b6407681c1f7b9092d1fbfcd58d02b

  • SHA512

    d563f997947c5e1cbb43f1eb50519354375873dd6bc242497816941cdfaa8c5d0556d37c78fc5b5486b30d25e90cf5e626927ec6642a37df6c6bc41eb7506f22

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      Setup.exe

    • Size

      386.1MB

    • MD5

      a79428b714ab958308457e3373c2bff5

    • SHA1

      693ff64bad8ae00aa7ea693aca846f0e695c1c99

    • SHA256

      b710d5f53a60bb381c1f67c83042aaa043a8464f96f44335a9633820c72deb58

    • SHA512

      eef9c067fafbdddaa0522222390cf7e73de2003cb3f92821f0b9fcdd52ad54aae96ba0c1584b2668b1d455926a0200853966f769c5fca3d6495fb2b5380d3405

    Score
    9/10
    discoveryevasionspywarestealerthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      langs/Hungarian.ini

    • Size

      107KB

    • MD5

      7591df7fae4342cbc7a0706e1b28e87b

    • SHA1

      825e88ad498e8713522f5aef3b21ee01d6fa8b41

    • SHA256

      fe9997629d296908247a2e82da6c369e2ea7eb4c87b12fc7c8d3ecb3e6fc320d

    • SHA512

      8f58c6fbaf5ea140a3ecbbc88cbf4bdd0e0ba3fbdf169f4b7cb831094a47a6ead103f89fc07748f91d1396ebd13c7ebcc90a316f0eb203ff4c86a50be5cd3ca4

    Score
    1/10
    behavioral3behavioral4

    • Target

      langs/Korean.ini

    • Size

      91KB

    • MD5

      efae0c78be2abe2920c78b9d4785ab45

    • SHA1

      8c0799fb68852cb071bbe260deb4ab357bd5f4ed

    • SHA256

      ad556989f6e4a683d9668e41d2d7175b7b46847c2eef26188b9075fc600d0132

    • SHA512

      44737be4d4bd0f93ca3e986c89102612932f3749b8e9b89446a567cff60ceb856b4bd7380da7fe3f1809579e6ec2162d0cdd4a217935a4961c6b36a482dd4ac8

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Tasks